"The entire certificate chain of the signer, including the root certificate, ...
Well, you can have root/trusted cert in the signed document but you also MUST have it in the client in order to establish trust.
X509Data elements. Each of the X509Data elements shall correspond to one certificate in the chain, and contain one X509IssuerSerial element and one X509Certificate element. The certificates may appear in any order." The research I've done seems to indicate that the entire certificate chain must be in one X509Data element. Unfortunately I've not been able to get a definitive statement from the XML Digital Signature page that says that. While researching this email, I just noticed the bit about the
From the XMLDsig spec: "An X509Data element within KeyInfo contains one or more identifiers of keys or X509 certificates...." My reading of this is that each X509Data element is a self-contained "pointer" to the key/certificate. Though, I can see arguments against it.
I have a couple of questions then. Suppose I am unable to convince the author that his version is incorrect, and I have to work under those constraints. How would you go about it? I have a few ideas, but I would appreciate the advice.
Well, nothing is impossible, it's only software :) Probably the easiest change to xmlsec would be to accumulate the content of all the X509Data elements before actually processing them. Should not be too bad from an implementation point of view.
Second, a more philosophical question I suppose. How much of a fight should I put up on this? Or am I completely mistaken in my assessment?
I would say that this significantly depends on the goals of your project and the behavior of other XMLDSig implementations (sorry, I never ran into this problem before). If all other toolkits are different from xmlsec then xmlsec needs to be fixed :) If your project does not care about interoperability (though it might be a bad idea long term) then this is one story. If you want to have interoperability and all other XMLDsig toolkits do the same as xmlsec does then it is another story. BTW, if you will be doing research on other xmldsig toolkits' behavior then I would really appreciate it if you can post your results here.

Thanks,
Aleksey

_______________________________________________
xmlsec mailing list
[email protected]
http://www.aleksey.com/mailman/listinfo/xmlsec
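The two readings of X509Data discussed in the exchange above, as an added illustration that is not code from the thread or from xmlsec. It builds a ds:KeyInfo in which the signer, intermediate and root certificates each sit in their own X509Data element (the one-certificate-per-X509Data layout the questioner quotes), checks that each X509Data carries exactly one X509IssuerSerial and one X509Certificate, and then shows how many certificates a chain builder would see under the self-contained reading versus the proposed "accumulate all X509Data first" behavior. The certificate bodies, issuer names and serial numbers are constructed placeholders (arbitrary bytes, not real DER), and the function names are this example's own.

```python
"""Added example, not xmlsec code: collecting certificates from ds:KeyInfo
under two readings of the X509Data element.

Reading A (self-contained X509Data): only the certificates inside the X509Data
whose X509IssuerSerial matches the signer are available for chain building.

Reading B (the proposed xmlsec change): the contents of every X509Data under
KeyInfo are pooled before processing, so a chain split one-certificate-per-
X509Data is still found.
"""
import base64
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DSIG_NS}

# Constructed placeholders. Real X509Certificate content is base64 DER; these
# are arbitrary bytes so that the example runs offline.
SIGNER_DER = b"signer-cert-placeholder"
INTERMEDIATE_DER = b"intermediate-cert-placeholder"
ROOT_DER = b"root-cert-placeholder"


def _x509data(issuer, serial, der):
    """One X509Data holding one X509IssuerSerial and one X509Certificate."""
    return (
        "  <ds:X509Data>\n"
        "    <ds:X509IssuerSerial>\n"
        f"      <ds:X509IssuerName>{issuer}</ds:X509IssuerName>\n"
        f"      <ds:X509SerialNumber>{serial}</ds:X509SerialNumber>\n"
        "    </ds:X509IssuerSerial>\n"
        f"    <ds:X509Certificate>{base64.b64encode(der).decode()}</ds:X509Certificate>\n"
        "  </ds:X509Data>\n"
    )


# Constructed sample KeyInfo: signer, intermediate and root, one per X509Data.
SAMPLE_KEYINFO = (
    f'<ds:KeyInfo xmlns:ds="{DSIG_NS}">\n'
    + _x509data("CN=Example Intermediate CA", 1001, SIGNER_DER)
    + _x509data("CN=Example Root CA", 7, INTERMEDIATE_DER)
    + _x509data("CN=Example Root CA", 1, ROOT_DER)
    + "</ds:KeyInfo>\n"
)


def parse_x509data(keyinfo_xml):
    """Return a list of (issuer_name, serial, [der_certs]) tuples, one per
    ds:X509Data in document order. issuer_name/serial are None when the
    X509Data has no X509IssuerSerial."""
    root = ET.fromstring(keyinfo_xml)
    entries = []
    for x509data in root.findall("ds:X509Data", NS):
        issuer = x509data.findtext("ds:X509IssuerSerial/ds:X509IssuerName", namespaces=NS)
        serial = x509data.findtext("ds:X509IssuerSerial/ds:X509SerialNumber", namespaces=NS)
        certs = [
            base64.b64decode("".join(c.text.split()))  # base64 may be line-wrapped
            for c in x509data.findall("ds:X509Certificate", NS)
        ]
        entries.append((issuer, int(serial) if serial is not None else None, certs))
    return entries


def check_one_cert_per_x509data(keyinfo_xml):
    """Check the 'shall' wording quoted in the thread: every X509Data holds
    exactly one X509IssuerSerial and exactly one X509Certificate.
    Returns a list of violation strings; an empty list means compliant."""
    root = ET.fromstring(keyinfo_xml)
    problems = []
    for i, x509data in enumerate(root.findall("ds:X509Data", NS)):
        n_is = len(x509data.findall("ds:X509IssuerSerial", NS))
        n_cert = len(x509data.findall("ds:X509Certificate", NS))
        if n_is != 1 or n_cert != 1:
            problems.append(f"X509Data #{i}: {n_is} X509IssuerSerial, {n_cert} X509Certificate")
    return problems


def certificates_available(keyinfo_xml, signer_issuer, signer_serial, accumulate):
    """Certificates a chain builder sees for the signer named by issuer/serial.
    accumulate=False is reading A, accumulate=True is reading B."""
    matched = None
    pool = []
    for issuer, serial, certs in parse_x509data(keyinfo_xml):
        pool.extend(certs)
        if issuer == signer_issuer and serial == signer_serial:
            matched = certs
    if matched is None:
        raise ValueError("no X509Data matches the signer's X509IssuerSerial")
    return pool if accumulate else matched


if __name__ == "__main__":
    print("violations:", check_one_cert_per_x509data(SAMPLE_KEYINFO))
    for accumulate in (False, True):
        certs = certificates_available(SAMPLE_KEYINFO, "CN=Example Intermediate CA", 1001, accumulate)
        print(f"accumulate={accumulate}: {len(certs)} certificate(s) available for chain building")
```

Under reading A the builder gets only the signer certificate and has to find the intermediate and root elsewhere (for example in the client's own trust store); under reading B all three are in hand. Either way, the trusted root must still be configured on the verifying side, as the reply above notes: its presence in the document does not make it trusted.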
